Google Account Hijacked or Just a Bug?

Google thinks I am another user again! I first encountered this while I was on the Google Analytics page where I got logged in as another user and was able to browse his/her reports. This is the second time I am encountering this and it happened while I was doing a search for “changmorgan@gmail.com”.

Video: http://www.youtube.com/watch?v=QbnUMxD0lCM

It seems like I am not the only one having the problem as you can see from the thread “HIjacked Account: Do something about it !!!” in the Google AdWords Help forum. I am linking to the cached version because the original thread seems to have been removed. Is Google trying to hide anything? I hope not.

This is definitely a serious issue which I hope Google will contact affected users regarding. Imagine someone peeking into your emails, calendars, documents and every other service which your Google Account (thanks to OpenID) can be used for. Anyone else encountering issues with your Google Account?

UPDATE 2: I have got more threads posted under my account on Google Earth and Google Chrome help forums! I have also gotten more news from users who experience the same issues and they all seemed to be from Singapore as well. Is this a Singapore-only issue?

From Priyan:

Dear Derick,

Just wanted to inform that when I opened google.com/notebook, instead of seeing my notes, it showed your account (See attached), like the way you see it. If you carefully read the below thread, this security issue is not just to google notebooks, but also google profile, google contacts and google help (So far).

Guyz, The danger has come and I am gonna delete all of my google account except the email (for which I need few months).

I posted the issues at security@google.com, which went unanswered. Google was a god given gift for me, but they are not caring about security issues.

Somebody here, if you can help, I would be grateful.

Priyan

From Max:

Hi everyone,

Are we all based in Singapore? It could be the login server? Or is the application server the one that is getting confused?

I think they did mention something about the 2 accounts being different, either that in the process of being linked.

Under my GMAIL profile, I had Aussie Pete in my display name.

Cheers!
Max

From Peter:

Hi – yes it was very strange when I posted my question on google help…
because there was no profile created, I went in and edited it, thinking that
it was my profile (didn’t notice the email address at the top of the page
was showing Max’s address and not mine).

Once I noticed, I went back and logged in as myself with my email address
and created my own profile.

At the time, I thought perhaps google was somehow defaulting to a ‘pretend’
person until my own profile was created… obviously this mustn’t be the
case.

Thanks for looping me in – very strange occurrence indeed. I also use
googleapps for many things… including more than just this one domain.

UPDATE 3: This is getting ridiculous, I am getting more users getting logged on as me on Google each day. More threads posted by not-me on AdSense and Webmaster help forums. There also seem to be more users experiencing the same issues apart from the original group that emailed me. It also seems more likely that this is really an issue affecting Singapore users only. I further suspect that this affects SingNet users only due to the invisible proxy SingNet places over your HTTP traffic which makes you take on a different public IP each time. If you are experiencing the same issues, please drop a comment stating the country you are from and your ISP. Anyone reading this thread, please help to spread the news to your friends who have a way to get to someone from Google! Thanks!

UPDATE 4: Seems like it is really an issue with SingNet. Priyan has an update over at his blog that Google has responded and fixed the issue.

Hi Priyan,

The issue you’re describing was reported by a small number of users
visiting a Google Help Center page from your ISP. As you described, those
users could become partially logged into the account of a recent viewer of
the same page from the same ISP. We have fixed the issue completely, and
we apologize for any inconvenience.

Derick, I found your blog after I took on your identity on the Google AdSense Forum and googled your username to see who you might be.

This problem has been happening a lot to me too over the past two months. I reported it on the AdSense forum but it’s not getting much attention yet. I’m from Singapore too, so perhaps there really is a Singapore connection. You can view the thread on the AdSense forum if you like:

@madden: I am actually suspecting that this is an issue with SingNet. SingNet pipes all HTTP traffic by default over a list of proxies unless you specify on your browser. Not sure if the rest who are affected are using SingNet though.

I and many others are still trying to spread this news via all means. Hopefully someone will look into this soon.

Derick, thanks, glad that you guys are on top of this. I’m not that tech sophisticated and wouldn’t know to suspect the proxy servers. I thought Google was somehow messing up its cookies. I am with Singnet though. Is there a common board somewhere where all affected users can meet and discuss? One of the affected on AdSense replied to my post and confirmed he’s also from Singapore.

Were you using an https (secure) connection when you logged into your account?

I’m just wondering if https connections are also affected.

(I’m from Singapore too so I’m worried as well.)

http://derickng.com Derick

Yup, most of Google services are via HTTPS except for a few probably but I doubt that makes a difference for this. The key issue is that Google somehow associates one user account with another.

Hasina

How to stop this!

madden

I wonder if this might be browser related as well. I only ever use IE when I visit the Google forums. I’m going to try using Chrome and see over the next week or so whether the problem persists in Chrome as well. My PC has been superscanned with five different products and it’s completely clean. Derick, can you share how you think the proxies might be involved? You mean proxy servers can mix up cookie information of different users? Shouldn’t there be some protocol which prevents proxy servers from doing that??

http://derickng.com Derick Ng

@Hasina: I have no idea until some Googler fixes this! :p

@madden: I doubt it is browser-related. I’m on Firefox. I am just suspecting a proxy issue because most (if not all) users who experience the issues are on SingNet and SingNet has this proxy round robin thingy which puts you on a different proxy for separate requests. You may want to see http://derickng.com/posts/28-singnet-external-proxy-ip-woes for more information. So the problem with that is that the proxy IP keeps changing and Google might have utilised this as part of the information with which they handle sessions? Just a wild guess.

Do you guys check the “Remember me on this computer” option when signing in? I am monitoring to see if this helps. This is yet another guess that Google sets some key via cookies which they use for the “Remember me on this computer” to the wrong recipient.

madden

I looked around in Google Support and found a page where I could report this, and so I did. The page is this:

If you are affected and annoyed or worried, etc., and feel like reporting it again, please go ahead. The issue at least merits appearing in Google’s “known issues” page and a great number of people reporting the same issue will get their attention. In the link provided above, at the bottom of the page, it says: If you’ve found a new problem that’s not listed on our Known Issues page, let us know and we’ll investigate. Sounded right, so I did it.

Hasina

Hey, yeah I used the remember me and sometimes, I don’t sign out at all! And I use Firefox too, it’s supposed to be the safest haha

madden

Yup, I use “remember me” too, but lately I’ve stopped using it because of this problem. I’ll keep an eye on this too and see if there’s a pattern. Well, okay so it’s not an IE thing, that’s settled. As for proxy IP, my IP address hardly ever changes when I’m online. I can have the same IP for two days straight and it is very rare for my IP to change when I’m continuously online.

madden

P.S. Beware of phishing emails pretending to offer assistance with this problem. Some of our e-mails have been exposed and anyone could just e-mail you pretending to be Google and offering “assistance” with this problem. The e-mail could look legitimate and even have a google.com domain. They might ask you to reveal your account info over e-mail or direct you to some bogus website. Google would never do that. Have your guard up!

http://derickng.com Derick Ng

I have updated this post. According to Priyan, Google has confirmed the fix. Update with your comments if it is not resolved for you.

At least I have not been experiencing any issues with myself logging into others’ accounts nor others logging into my account for the past 1 day. Might be not checking “remember me” or just lucky that Google fixed it.

I received a note from Google today (March 26, 2010) that they had blocked a collection of “my” photographs on Picasa because they were inappropriate. Since I have no Picasa account or collection and Oklahoma is decidedly not near Singapore, the problem of someone jumping into someone else's account is clearly not confined to Singapore. Actually I have no accounts with Google in the account name used, so I'm outta here. I commend you all to Windows Hotmail live. I'm signing the e-addy Google seems to think I am using.